I hope this thread will be helpful to those who follow in my footsteps as well as getting any advice based on what I have done / documented.

To discuss this thread, please participate here: >> INSERT THREAD <<

High-level overview

This thread will cover installation of a certificate authority (CA) server for the purpose of issuing your own certificates for your LAN.

This process will involve two servers. The root CA server will be installed and issue a certificate to an intermediate CA server. The root CA server will then be taken offline and stored in a safe place. The intermediate server will then become the server that issues certificates to your other servers. The root certificate will need to be installed on all your machines so that any certificates issued by the intermediate server will be automatically trusted.

This scenario is perfect for servers that are not accessible from the web or when using local domain names like mydomain.local.
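The two-tier chain described in this overview, as an added example that is not part of the original thread: a throwaway lab PKI built with the OpenSSL command-line tool (assumed to be installed), followed by a check of which trust configurations validate the server certificate. The hostname srv-web.mydomain.com, the file names and the certificate lifetimes are assumptions made for the demo.

```shell
# Added example: throwaway two-tier lab PKI. CNs reuse the thread's placeholders;
# srv-web.mydomain.com, file names and lifetimes are constructed for the demo.
set -eu

# build_chain DIR: create root -> intermediate -> server certificates in DIR.
# Keys are unencrypted (-nodes) for the demo only; a real root key gets a passphrase.
build_chain() (
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_im]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:srv-web.mydomain.com
EOF
  mkreq() { openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
              -subj "/CN=$2" -keyout "$1.key" -out "$1.csr"; }
  mkreq root srv-ca-root
  mkreq im srv-ca-im
  mkreq srv srv-web.mydomain.com
  # The root signs itself and the intermediate; the intermediate signs the server.
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile pki.cnf -extensions v3_root -out root.crt
  openssl x509 -req -in im.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile pki.cnf -extensions v3_im -out im.crt
  openssl x509 -req -in srv.csr -CA im.crt -CAkey im.key -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions v3_srv -out srv.crt
)

# verify_leaf DIR TRUSTED [UNTRUSTED]: succeed only if srv.crt chains to TRUSTED.
# UNTRUSTED is an extra certificate offered for chain building but not trusted.
verify_leaf() {
  openssl verify -CAfile "$1/$2" ${3:+-untrusted "$1/$3"} "$1/srv.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
build_chain "$work"
verify_leaf "$work" root.crt im.crt && echo "root trusted, intermediate sent: OK"
verify_leaf "$work" root.crt || echo "intermediate missing: rejected"
verify_leaf "$work" im.crt || echo "root not trusted: rejected"
```

The `pathlen:0` constraint on the intermediate means it can issue server certificates but cannot create further CAs beneath itself.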

This documentation needs to make use of some very specific information that will most likely be different for each person / location. As such, this information is noted in this section. These values are highlighted in red throughout the document as a reminder that you should plug in your own value rather than actually using these "placeholder" values.

Under no circumstances should you use the actual values listed below. They are placeholders for the real thing. This is just a checklist template you need to have answered before you start the install process.

Wherever you see RED in this document, you need to substitute the value you will use in your environment.

Local domain: mydomain.com

Ubuntu Server name: srv-ca-root

Ubuntu Server IP address: 192.168.107.69

Ubuntu Server name: srv-ca-im

Ubuntu Server IP address: 192.168.107.70

Ubuntu Admin ID: administrator

Ubuntu Admin Password: myadminpass

Root CA Private Key Passphrase: myrootcapass

It is also assumed the reader knows how to use the VI editor. If not, you will need to beef up your skill set or use a different editor in place of it.

It is assumed that the servers were configured according to that article with the exceptions that the assumptions in red (variables above) are used instead of the assumptions in that document since we are building a specialized server.

You can test it by starting a test web service and opening a browser on your PC to look at the certificate. (NOTE: This will not work if you do not install the recently created root CA certificate as a trusted CA on your PC.)

Now open a browser on a desktop PC, visit https://192.168.107.69:4433 and use the browser's ability to look at the certificate.
Once done with the browser test, switch back to the server and press CTRL+C to break out of the SSL server test.
Now remove the firewall rule that allowed access on the test 4433 port: